Changeset 2175 for draft-ietf-httpbis-http2/latest/draft-ietf-httpbis-http2.xml

Timestamp:

31/01/13 07:15:27 (10 years ago)

Author:

martin.thomson@…

Message:

Adding security consideration for pushed resources.

File:

• draft-ietf-httpbis-http2/latest/draft-ietf-httpbis-http2.xml (modified) (2 diffs)

draft-ietf-httpbis-http2/latest/draft-ietf-httpbis-http2.xml

@@ -1367 +1367 @@
 <t>Pushed resources do not have an associated request.  In order for existing HTTP cache control validations (such as the Vary header) to work, however, all cached resources must have a set of request headers.  For this reason, browsers MUST be careful to inherit request headers from the associated stream for the push.  This includes the 'Cookie' header.</t>
       </section>
+      
+<section title="Cacheability of Pushed Resources">
+<t>
+  Resources that are pushed is possible, based on the guidance provided by the origin server in
+  the Cache-Control header field.  However, this can cause issues if a single server hosts more
+  than one tenant.  For example, a server might offer multiple users each a small portion of its
+  URI space.
+</t>
+<t>
+  Where multiple tenants share space on the same server, that server MUST ensure that tenants
+  are not able to push representations of resources that they do not have authority over.
+  Failure to enforce this would allow a tenant to provide a representation that would be served
+  out of cache, overriding the actual representation that the authoritative tenant provides.
+</t>
+</section>
     </section>
 
@@ -1632 +1647 @@
 <section title="Since draft-ietf-httpbis-http2-01" anchor="changes.since.draft-ietf-httpbis-http2-01">
 <t>
-  None yet
+  Removed per-frame version field.
+</t>
+<t>
+  Altered flow control properties to include session-level limits.
+</t>
+<t>
+  Added note on cacheability of pushed resources and multiple tenant servers.
 </t>
 </section>